Encrypted password question

Clash Royale CLAN TAG#URR8PPP

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;

up vote
1
down vote

favorite

I noticed in the html of my router this parameter:

form.addParameter('Password', base64encode(SHA256(Password.value)));

So when I type in the password passw I get this via sslstrip:

2018-09-25 21:13:31,605 POST Data (192.168.1.1):
Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D

Is this hash easy to crack via bruteforce/dictionary? I am still a beginner, but that looks like double encryption to me.
Also, is there some faster way of getting this password than cracking it?

encryption passwords

share|improve this question

edited 2 hours ago

schroeder♦

65.4k25139176

asked 2 hours ago

MyWays

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
1
down vote

favorite

I noticed in the html of my router this parameter:

form.addParameter('Password', base64encode(SHA256(Password.value)));

So when I type in the password passw I get this via sslstrip:

2018-09-25 21:13:31,605 POST Data (192.168.1.1):
Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D

Is this hash easy to crack via bruteforce/dictionary? I am still a beginner, but that looks like double encryption to me.
Also, is there some faster way of getting this password than cracking it?

encryption passwords

share|improve this question

edited 2 hours ago

schroeder♦

65.4k25139176

asked 2 hours ago

MyWays

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

I noticed in the html of my router this parameter:

form.addParameter('Password', base64encode(SHA256(Password.value)));

So when I type in the password passw I get this via sslstrip:

2018-09-25 21:13:31,605 POST Data (192.168.1.1):
Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D

Is this hash easy to crack via bruteforce/dictionary? I am still a beginner, but that looks like double encryption to me.
Also, is there some faster way of getting this password than cracking it?

encryption passwords

share|improve this question

edited 2 hours ago

schroeder♦

65.4k25139176

asked 2 hours ago

MyWays

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

I noticed in the html of my router this parameter:

form.addParameter('Password', base64encode(SHA256(Password.value)));

So when I type in the password passw I get this via sslstrip:

2018-09-25 21:13:31,605 POST Data (192.168.1.1):
Username=acc&Password=ZTQ1ZDkwOTU3ZWVjNzM4NzcyNmM2YTFiMTc0ZGE3YjU2NmEyNGZmNGNiMDYwZGNiY2RmZWJiOTMxYTkzZmZlMw%3D%3D

Is this hash easy to crack via bruteforce/dictionary? I am still a beginner, but that looks like double encryption to me.
Also, is there some faster way of getting this password than cracking it?

encryption passwords

encryption passwords

share|improve this question

edited 2 hours ago

schroeder♦

65.4k25139176

asked 2 hours ago

MyWays

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 2 hours ago

schroeder♦

65.4k25139176

asked 2 hours ago

MyWays

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

edited 2 hours ago

schroeder♦

65.4k25139176

edited 2 hours ago

schroeder♦

65.4k25139176

edited 2 hours ago

schroeder♦

65.4k25139176

65.4k25139176

asked 2 hours ago

MyWays

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 2 hours ago

MyWays

82

asked 2 hours ago

MyWays

82

82

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

MyWays is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
3
down vote



accepted

It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.

An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.

share|improve this answer

answered 2 hours ago

ThoriumBR

17.7k44264

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only trivial if the password is common.
  – zaph
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
  – ThoriumBR
  53 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
  – zaph
  7 mins ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

I URL decoded it, then decoded it from base64, then passed it to an online hash database.

The result was:

Hash Type Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3 sha256 passw

share|improve this answer

edited 53 mins ago

answered 2 hours ago

schroeder♦

65.4k25139176

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

MyWays is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194460%2fencrypted-password-question%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote



accepted

It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.

An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.

share|improve this answer

answered 2 hours ago

ThoriumBR

17.7k44264

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only trivial if the password is common.
  – zaph
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
  – ThoriumBR
  53 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
  – zaph
  7 mins ago
  
  

  
  
  
  

add a comment | 

up vote
3
down vote



accepted

It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.

An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.

share|improve this answer

answered 2 hours ago

ThoriumBR

17.7k44264

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only trivial if the password is common.
  – zaph
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
  – ThoriumBR
  53 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
  – zaph
  7 mins ago
  
  

  
  
  
  

add a comment | 

up vote
3
down vote



accepted

up vote
3
down vote



accepted

It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.

An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.

share|improve this answer

answered 2 hours ago

ThoriumBR

17.7k44264

It's a base64 unsalted sha256 hash. It's not double encryption, but a not needed encoding.

An unsalted hash means it's trivial to just search the hash on Google and probably it will find the result.

share|improve this answer

answered 2 hours ago

ThoriumBR

17.7k44264

share|improve this answer

share|improve this answer

answered 2 hours ago

ThoriumBR

17.7k44264

answered 2 hours ago

ThoriumBR

17.7k44264

answered 2 hours ago

ThoriumBR

17.7k44264

17.7k44264

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only trivial if the password is common.
  – zaph
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
  – ThoriumBR
  53 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
  – zaph
  7 mins ago
  
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Only trivial if the password is common.
  – zaph
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
  – ThoriumBR
  53 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
  – zaph
  7 mins ago
  
  

  
  
  
  

Only trivial if the password is common.
– zaph
1 hour ago

Only trivial if the password is common.
– zaph
1 hour ago

1

1

I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
– ThoriumBR
53 mins ago

I meant "is trivial to search", not to find the password. But to bruteforce SHA256 using any bitcoin ASIC is trivial too. A Dragonmint 16T can do 16TH/s and would bruteforce a 12 chars alphanumeric password in less than 100 hours. A 8 chars alphanumeric would fail in a tenth of a second...
– ThoriumBR
53 mins ago

Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
– zaph
7 mins ago

Sure a Dragonmint is fast and specialized hardware. That is why using SHA256 is not secure for passwords, what is needed is a slow method such as PBKDF2, Argon2i or comparable methods, these are slow and should be used with parameters to require about 100ms or CPU time and additionally Argon2i requires substantial memory as well. Try e88f244abd61582387cc2afc0476e112550f24395cdf338ed7ad7deace2e6ebe, it is a the SHA-256 hash of a 12 character password.
– zaph
7 mins ago

add a comment | 

up vote
2
down vote

I URL decoded it, then decoded it from base64, then passed it to an online hash database.

The result was:

Hash Type Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3 sha256 passw

share|improve this answer

edited 53 mins ago

answered 2 hours ago

schroeder♦

65.4k25139176

add a comment | 

up vote
2
down vote

I URL decoded it, then decoded it from base64, then passed it to an online hash database.

The result was:

Hash Type Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3 sha256 passw

share|improve this answer

edited 53 mins ago

answered 2 hours ago

schroeder♦

65.4k25139176

add a comment | 

up vote
2
down vote

up vote
2
down vote

I URL decoded it, then decoded it from base64, then passed it to an online hash database.

The result was:

Hash Type Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3 sha256 passw

share|improve this answer

edited 53 mins ago

answered 2 hours ago

schroeder♦

65.4k25139176

I URL decoded it, then decoded it from base64, then passed it to an online hash database.

The result was:

Hash Type Result
e45d90957eec7387726c6a1b174da7b566a24ff4cb060dcbcdfebb931a93ffe3 sha256 passw

share|improve this answer

edited 53 mins ago

answered 2 hours ago

schroeder♦

65.4k25139176

share|improve this answer

share|improve this answer

edited 53 mins ago

edited 53 mins ago

edited 53 mins ago

answered 2 hours ago

schroeder♦

65.4k25139176

answered 2 hours ago

schroeder♦

65.4k25139176

answered 2 hours ago

schroeder♦

65.4k25139176

65.4k25139176

add a comment | 

add a comment | 

MyWays is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

MyWays is a new contributor. Be nice, and check out our Code of Conduct.

MyWays is a new contributor. Be nice, and check out our Code of Conduct.

MyWays is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194460%2fencrypted-password-question%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email